Vista gadget attack embarrasses Microsoft

Windows Vista flaw enables remote attack

An embarrassing flaw in Windows Vista's sidebar gadgets could allow enable a 'remote execution attack' allowing attackers to gain control of an affected PC.

Security vendor Finjan has claimed the credit for spotting the flaw, which Microsoft only patched this week in its monthly updates.

The exploit involves one of the most apparently innocent elements of Vista, namely the sidebar 'gadgets' whereby users load one from a selection of small utilities on to the desktop. It turns out that three of these - the contact, weather and RSS feed gadgets - can be exploited.

Finjan's part of the discovery relates to the contact gadget, and the company has offered a video demonstration detailing how the exploit might work in practice. As the abridged video makes clear, the attack would require only that a user had the affected gadget loaded on the sidebar, and carried out the actions described of innocently accepting a spoof contact from a compromised website.

In its Patch Tuesday cycle, Microsoft listed the flaws as 'important' in its security bulletin, one below the most severe rating, 'critical'. The vulnerability was the only one in either category to affect only Vista, with such issues still being a rarity seven months after the operating system's consumer launch.

Rare, perhaps, but not unheard of. Only last week, news emerged of a problem in a third-party Vista driver module that could allow unsigned and potentially malevolent drivers to gain access to the Vista kernel, its most protected ring.

"This discovery is the latest example of the close cooperation between our Malicious Code Research Center and Microsoft with the goal of securing users from potential malicious attacks," crowed Finjan CTO Yuval Ben-Itzhak. It has not been disclosed who found the flaws in the other two gadgets.